Wednesday, August 19, 2015

Notes on the Ashley-Madison dump

Ashley-Madison is a massive dating site that claims 40 million users. The site is specifically for those who want to cheat on their spouse. Recently, it was hacked. Yesterday, the hackers published the dumped data.

It appears legit. I asked my twitter followers for those who had created accounts. I have verified multiple users of the site, one of which was a throw-away account used only on the site. Assuming my followers aren't lying, this means the dump is confirmed. Update: one follower verified that the last 4 digits of his credit-card number and his billing address were exposed.

It's over 36-million accounts. That's not quite what they claim, but it's pretty close. However, glancing through the data, it appears that a lot of the accounts are bogus, obviously made up things for people who just want to look at the site without creating a "real" account.

It's heavily men. I count 28-million men to 5 million women, according to the "gender" field in the database (with 2-million undetermined). However, glancing through the credit-card transactions, I find only male names.

It's full account information. This includes full name, email, and password hash as you'd expect. It also includes dating information, like height, weight, and so forth. It appears to contain addresses, as well as GPS coordinates. I suspect that many people created fake accounts, but with an app that reported their real GPS coordinates.

Passwords hashed with bcrypt. Almost all the records appear to be protected with bcrypt. This is a refreshing change. Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in "clear text", so that they can be immediately used to hack people). Hackers will be able to "crack" many of these passwords when users chose weak ones, but users who chose strong passwords are safe.

Maybe 250k deleted accounts. There are about 250k accounts that appear to have the password information removed. I don't know why, maybe it's accounts that have paid to be removed. Some are marked explicitly as such, others imply that.
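The two observations above (almost all records bcrypt-protected, a minority with the password field emptied) are the kind of thing an analyst establishes by classifying the stored hash strings by format before anything else. The following is an added example, not code from the post; it parses the bcrypt modular-crypt format ("$2a$", "$2b$", "$2x$", "$2y$" followed by a two-digit cost, a 22-character salt and a 31-character hash, 53 base64 characters in total), recovers the cost factor, and tallies a column of records. The sample hash strings are constructed for the example and are not taken from the dump.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample values for illustration only (not records from any real dump).
SAMPLE_HASHES = [
    "$2a$12$" + "x" * 53,                  # bcrypt, cost 12 (2^12 rounds of the key setup)
    "$2y$10$" + "y" * 53,                  # bcrypt, cost 10, PHP-style "$2y$" prefix
    "5f4dcc3b5aa765d61d8327deb882cf99",    # unsalted MD5 hex digest
    "",                                    # password field cleared (e.g. a removed account)
    "hunter2",                             # password stored as cleartext
]

# bcrypt modular-crypt format: $2[abxy]$<cost>$<22 char salt><31 char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# A bare 32-hex string is *probably* an unsalted MD5 digest; this is a heuristic,
# since a 32-character hex cleartext password would look the same.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class HashInfo:
    scheme: str                 # "bcrypt", "md5", "empty" or "unknown_or_cleartext"
    cost: Optional[int] = None  # bcrypt cost parameter (log2 of the work), if any

    @property
    def iterations(self) -> Optional[int]:
        """Number of expensive key-setup rounds a single bcrypt guess costs."""
        return None if self.cost is None else 2 ** self.cost


def classify_hash(value: str) -> HashInfo:
    """Classify one stored password field by its on-disk format."""
    if value == "":
        return HashInfo("empty")
    m = BCRYPT_RE.match(value)
    if m:
        return HashInfo("bcrypt", int(m.group(1)))
    if MD5_RE.match(value):
        return HashInfo("md5")
    return HashInfo("unknown_or_cleartext")


def summarize(hashes: Iterable[str]) -> Dict[str, int]:
    """Count records per scheme, splitting bcrypt by cost factor."""
    counts: Dict[str, int] = {}
    for h in hashes:
        info = classify_hash(h)
        key = info.scheme if info.cost is None else f"{info.scheme}(cost={info.cost})"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for scheme, n in sorted(summarize(SAMPLE_HASHES).items()):
        print(f"{scheme:24s} {n}")
```

The cost factor is the number that matters for exposure: each increment doubles the work per guess, so at cost 12 an attacker pays 4096 rounds of the Blowfish key schedule per candidate password, which is why only weak, guessable passwords are at practical risk while an unsalted MD5 column can be run against a wordlist at hardware speed.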

Partial credit card data. It appears to have credit card transaction data -- but not the full credit card number. It does have full name and addresses, though. This is data that can "out" serious users of the site.

You can download everything via BitTorrent. The magnet number is 40ae8a90de40ca3afa763c8edb43fc1fc47d75f1. If you've got BitTorrent installed, you can use this to download the data. It's 9.7 gigabytes compressed, so you'll need a good Internet connection.

The hackers call themselves the "Impact Team". Their manifesto is here. They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it's fun and #2 because they can. They probably used phishing, SQL injection, or re-used account credentials in order to break in.

They deserve some praise. Compared to other large breaches, it appears Ashley-Madison did a better job at cybersecurity. They tokenized credit card transactions and didn't store full credit card numbers. They hashed passwords correctly with bcrypt. They stored email addresses and passwords in separate tables, to make grabbing them (slightly) harder. Thus, this hasn't become the massive breach of passwords and credit-card numbers that other large breaches have led to. They deserve praise for this.

Josh Duggar. This Gawker article appears correct from my reading of the data.

Please remove the magnet link. The information is not for the public to see and helping distribution of this illegally obtained information is putting people in real danger. For gay men, it might put them in danger for their life upon returning to countries in which homosexuality is treated with the death penalty, just to name an example.

Distributing the magnet link means encouraging others to participate in a violation of privacy of *millions*. If this was a dump of other highly sensitive data, say, pictures of children and where they live, then it might be more obvious to you that spreading this data was deeply unethical. But this is not really different, and encouraging others to spread the data means that you too are guilty in all the peril that will come from this hack.

Somebody at Gawker media is seeding a copy 100% {gawkermedia.metroe.dmarc.lga6.atlanticmetro(DOT)net} I loaded the magnet earlier then clicked reverse DNS. It's all very well to report such a story, but to be actively participating in the leak's distribution...?

There's a lot that could be said, here, such as, "all good things must come to an end; everything has its consequences; there's a price for everything and everything has its price," to name a few, but my favorite is, "if you're going to play, you gotta pay." That's right. Nothing is for free. Not to play the morality card, but did these fools that signed up for the site actually think they could never be caught? That they would never have to pay for their behavior? Seriously? I've done my share of bad behavior in my life, so I know--you really get away with nothing.

Maybe the lesson is that cheating on your spouse is not so much fun. It was waiting to happen. If you know anybody who is still hiding behind Match.com, MatureSinglesOnly.com, or similar, I would advise them to stop. You never know when your turn may be coming.